
Example 1 with Statement

use of com.sun.identity.saml.assertion.Statement in project OpenAM by OpenRock.

the class FSDefaultSPAdapter method postSSOFederationSuccess.

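/**
 * Invokes this method after the successful Single Sign-On or Federation.
 * <p>
 * When the original request asked for federation (NameIDPolicy is
 * {@code IFSConstants.NAME_ID_POLICY_FEDERATED}) this implementation takes the
 * name identifier from the first assertion's AuthenticationStatement, searches
 * the user's organization for every local account already holding the
 * federation key {@code |hostedEntityID|nameId|}, and removes that federation
 * record from every matching account other than the one behind
 * {@code ssoToken}, so that one IDP-issued name identifier maps to at most one
 * local user. Clean-up failures are logged and swallowed. This implementation
 * never redirects, so it always returns {@code false}.
 *
 * @param hostedEntityID provider ID for the hosted SP
 * @param request servlet request (unused by this implementation)
 * @param response servlet response (unused by this implementation)
 * @param ssoToken user's SSO token, expected to be an {@code SSOToken}
 * @param authnRequest the original authentication request sent from SP
 * @param authnResponse response from IDP if Browser POST or LECP profile
 *        is used for the request, value will be null if Browser Artifact
 *        profile is used.
 * @param samlResponse response from IDP if Browser Artifact profile is used
 *        for the request, value will be null if Browser POST or LECP
 *        profile is used.
 * @exception FederationException if the adapter wants to fail the process.
 * @return true if browser redirection happened, false otherwise.
 */
public boolean postSSOFederationSuccess(String hostedEntityID, HttpServletRequest request, HttpServletResponse response, Object ssoToken, FSAuthnRequest authnRequest, FSAuthnResponse authnResponse, FSResponse samlResponse) throws FederationException {
    if (FSUtils.debug.messageEnabled()) {
        FSUtils.debug.message("FSDefaultSPAdapter.postFedSuccess, " + "process " + hostedEntityID);
    }
    // find out if this is a federation request
    boolean isFederation = false;
    if (authnRequest == null) {
        FSUtils.debug.error("FSDefaultSPAdapter.postFedSuccess null");
    } else {
        String nameIDPolicy = authnRequest.getNameIDPolicy();
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSDefaultSPAdapter.postSuccess " + nameIDPolicy);
        }
        // constant-first equals: a request without a NameIDPolicy must not NPE here
        isFederation = IFSConstants.NAME_ID_POLICY_FEDERATED.equals(nameIDPolicy);
    }
    SSOToken adminToken = (SSOToken) AccessController.doPrivileged(AdminTokenAction.getInstance());
    if (!isFederation || adminToken == null) {
        return false;
    }
    try {
        // get name Identifier
        List assertions;
        String idpEntityId = null;
        if (authnResponse != null) {
            // POST profile
            assertions = authnResponse.getAssertion();
            idpEntityId = authnResponse.getProviderId();
        } else if (samlResponse != null) {
            // Artifact profile
            assertions = samlResponse.getAssertion();
        } else {
            // neither profile delivered a response; nothing to federate
            FSUtils.debug.warning("FSAdapter.postSuccess: no IDP response");
            return false;
        }
        if (assertions == null || assertions.isEmpty()) {
            FSUtils.debug.warning("FSAdapter.postSuccess: no assertion");
            return false;
        }
        // only the first assertion is considered, as before
        FSAssertion assertion = (FSAssertion) assertions.get(0);
        if (idpEntityId == null) {
            idpEntityId = assertion.getIssuer();
        }
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSAdapter.postSuccess: idp=" + idpEntityId);
        }
        String nameId = nameIdFromAuthnStatement(assertion);
        if (nameId == null) {
            FSUtils.debug.warning("FSAdapter.postSuc : null nameID");
            return false;
        }
        SSOToken userToken = (SSOToken) ssoToken;
        // federation info key format shared with FSAccountManager: |hostedEntityID|nameId|
        // nameId originates from the IDP assertion; it is handed to the IdRepo as a
        // search-modifier attribute value rather than spliced into a filter string,
        // so escaping is the IdRepo layer's responsibility. NOTE(review): confirm.
        Map map = new HashMap();
        Set set = new HashSet();
        set.add("|" + hostedEntityID + "|" + nameId + "|");
        map.put("iplanet-am-user-federation-info-key", set);
        AMIdentityRepository idRepo = new AMIdentityRepository(adminToken, userToken.getProperty(ISAuthConstants.ORGANIZATION));
        IdSearchControl searchControl = new IdSearchControl();
        // 0 = no time limit / no result limit for this search
        searchControl.setTimeOut(0);
        searchControl.setMaxResults(0);
        searchControl.setAllReturnAttributes(false);
        searchControl.setSearchModifiers(IdSearchOpModifier.AND, map);
        IdSearchResults searchResults = idRepo.searchIdentities(IdType.USER, "*", searchControl);
        Set amIdSet = searchResults.getSearchResults();
        if (amIdSet == null || amIdSet.size() <= 1) {
            // at most the current user holds this federation key; nothing to clean up
            return false;
        }
        String univId = userToken.getProperty(Constants.UNIVERSAL_IDENTIFIER);
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSAdapter.postSuccess: found " + amIdSet.size() + " federation with same ID as " + univId);
        }
        if (univId == null) {
            // without the current user's id we cannot tell which record to keep,
            // so do not remove anything
            FSUtils.debug.warning("FSAdapter.postSuccess: null universal id, skipping fed info cleanup");
            return false;
        }
        String metaAlias = null;
        try {
            IDFFMetaManager metaManager = new IDFFMetaManager(ssoToken);
            SPDescriptorConfigElement spConfig = metaManager.getSPDescriptorConfig(realm, hostedEntityID);
            if (spConfig != null) {
                metaAlias = spConfig.getMetaAlias();
            }
        } catch (IDFFMetaException ie) {
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("FSAdapter.postSuccess: " + "couldn't find meta alias:", ie);
            }
        }
        FSAccountManager accManager = FSAccountManager.getInstance(metaAlias);
        FSAccountFedInfoKey fedInfoKey = new FSAccountFedInfoKey(hostedEntityID, nameId);
        // previous federation exists with different users
        Iterator it = amIdSet.iterator();
        while (it.hasNext()) {
            AMIdentity amId = (AMIdentity) it.next();
            // compare with the SSO token
            String tmpUnivId = IdUtils.getUniversalId(amId);
            if (univId.equalsIgnoreCase(tmpUnivId)) {
                continue;
            }
            // remove federation information for this user
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("FSAdapter.postSucces, " + "remove fed info for user " + tmpUnivId);
            }
            accManager.removeAccountFedInfo(tmpUnivId, fedInfoKey, idpEntityId);
        }
    } catch (FSAccountMgmtException f) {
        FSUtils.debug.warning("FSDefaultSPAdapter.postSSOSuccess", f);
    } catch (IdRepoException i) {
        FSUtils.debug.warning("FSDefaultSPAdapter.postSSOSuccess", i);
    } catch (SSOException e) {
        FSUtils.debug.warning("FSDefaultSPAdapter.postSSOSuccess", e);
    }
    return false;
}

/**
 * Returns the name identifier carried by the first AuthenticationStatement of
 * {@code assertion}, preferring the IDP-provided identifier over the subject's
 * own, or {@code null} when there is no such statement, no subject, or no
 * identifier. Only the first AuthenticationStatement is examined.
 *
 * @param assertion the assertion to inspect, must not be {@code null}
 * @return the name identifier value, or {@code null}
 */
private static String nameIdFromAuthnStatement(FSAssertion assertion) {
    if (assertion.getStatement() == null) {
        return null;
    }
    Iterator stmtIter = assertion.getStatement().iterator();
    while (stmtIter.hasNext()) {
        Statement statement = (Statement) stmtIter.next();
        if (statement.getStatementType() != Statement.AUTHENTICATION_STATEMENT) {
            continue;
        }
        FSAuthenticationStatement authStatement = (FSAuthenticationStatement) statement;
        FSSubject subject = (FSSubject) authStatement.getSubject();
        if (subject == null) {
            return null;
        }
        NameIdentifier ni = subject.getIDPProvidedNameIdentifier();
        if (ni == null) {
            ni = subject.getNameIdentifier();
        }
        String nameId = (ni == null) ? null : ni.getName();
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSAdapter.postSuccess: " + "found name id =" + nameId);
        }
        return nameId;
    }
    return null;
}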

Example 2 with Statement

use of com.sun.identity.saml.assertion.Statement in project OpenAM by OpenRock.

the class SAMLUtils method examAssertions.

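/**
 * Determines if there is a valid SSO Assertion
 * inside of SAML Response.
 * <p>
 * Every assertion must pass {@code checkCondition}, must contain at least one
 * statement, and every statement must be a {@code SubjectStatement} whose
 * first confirmation method is the artifact method matching the assertion's
 * version (minor version one: {@code CONFIRMATION_METHOD_ARTIFACT}; minor
 * version zero: {@code DEPRECATED_CONFIRMATION_METHOD_ARTIFACT}). At least one
 * statement across all assertions must be an {@code AuthenticationStatement}.
 * Any violation is logged and {@code null} is returned.
 *
 * @param assertions a List of <code>Assertion</code> objects
 * @return the subject of the last statement examined, or {@code null} if
 *         {@code assertions} is {@code null} or any check fails
 *         (NOTE(review): this is not necessarily the subject of the
 *         AuthenticationStatement itself — confirm callers expect that)
 * @exception IOException IOException
 */
public static com.sun.identity.saml.assertion.Subject examAssertions(List assertions) throws IOException {
    if (assertions == null) {
        return null;
    }
    boolean foundAuthnStatement = false;
    com.sun.identity.saml.assertion.Subject subject = null;
    Iterator iter = assertions.iterator();
    while (iter.hasNext()) {
        Assertion assertion = (Assertion) iter.next();
        if (!checkCondition(assertion)) {
            return null;
        }
        debug.message("Passed checking Conditions!");
        // exam the Statement inside the Assertion
        Set statements = assertion.getStatement();
        if (statements == null || statements.isEmpty()) {
            debug.error(bundle.getString("noStatement"));
            return null;
        }
        Iterator iterator = statements.iterator();
        while (iterator.hasNext()) {
            Statement statement = (Statement) iterator.next();
            if (!(statement instanceof SubjectStatement)) {
                // a statement without a subject cannot be confirmed
                debug.error("Statement carries no subject");
                return null;
            }
            subject = ((SubjectStatement) statement).getSubject();
            SubjectConfirmation sc = (subject == null) ? null : subject.getSubjectConfirmation();
            if (sc == null) {
                debug.error("Subject confirmation is null");
                return null;
            }
            Set cm = sc.getConfirmationMethod();
            if (cm == null || cm.isEmpty()) {
                debug.error("Subject confirmation method is null");
                return null;
            }
            // only the first confirmation method is checked, as before
            String conMethod = (String) cm.iterator().next();
            if (!isArtifactConfirmationForVersion(assertion, conMethod)) {
                debug.error("Wrong Confirmation Method.");
                return null;
            }
            if (debug.messageEnabled()) {
                debug.message("Correct Confirmation method");
            }
            if (statement instanceof AuthenticationStatement) {
                //found an SSO Assertion
                foundAuthnStatement = true;
            }
        }
    }
    if (!foundAuthnStatement) {
        debug.error(bundle.getString("noSSOAssertion"));
        return null;
    }
    return subject;
}

/**
 * Returns {@code true} when {@code conMethod} is the artifact confirmation
 * method expected for the assertion's SAML version: the major version must be
 * {@code ASSERTION_MAJOR_VERSION}, and the method must be
 * {@code CONFIRMATION_METHOD_ARTIFACT} for minor version one or
 * {@code DEPRECATED_CONFIRMATION_METHOD_ARTIFACT} for minor version zero.
 *
 * @param assertion the assertion whose version is checked
 * @param conMethod the confirmation method URI, may be {@code null}
 * @return {@code true} if the method matches the version, {@code false} otherwise
 */
private static boolean isArtifactConfirmationForVersion(Assertion assertion, String conMethod) {
    if (conMethod == null || assertion.getMajorVersion() != SAMLConstants.ASSERTION_MAJOR_VERSION) {
        return false;
    }
    int minorVersion = assertion.getMinorVersion();
    if (minorVersion == SAMLConstants.ASSERTION_MINOR_VERSION_ONE) {
        return conMethod.equals(SAMLConstants.CONFIRMATION_METHOD_ARTIFACT);
    }
    if (minorVersion == SAMLConstants.ASSERTION_MINOR_VERSION_ZERO) {
        return conMethod.equals(SAMLConstants.DEPRECATED_CONFIRMATION_METHOD_ARTIFACT);
    }
    return false;
}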

Example 3 with Statement

use of com.sun.identity.saml.assertion.Statement in project OpenAM by OpenRock.

the class SAMLUtils method isAuthNAssertion.

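/**
 * Returns true if the assertion is valid both time wise and
 * signature wise, and contains at least one AuthenticationStatement.
 * Both validity checks are delegated to the assertion itself; an assertion
 * without statements (or with a {@code null} statement set) is not an
 * authentication assertion.
 *
 * @param assertion <code>Assertion</code> instance to be checked, may be
 *        {@code null}.
 * @return <code>true</code> if the assertion is valid both time wise and
 *         signature wise, and contains at least one AuthenticationStatement;
 *         <code>false</code> for a {@code null} assertion.
 */
public static boolean isAuthNAssertion(Assertion assertion) {
    if (assertion == null) {
        return false;
    }
    // reject before looking at content: an unsigned or expired assertion
    // must never count as an SSO assertion
    if ((!assertion.isTimeValid()) || (!assertion.isSignatureValid())) {
        return false;
    }
    Set statements = assertion.getStatement();
    if (statements == null) {
        return false;
    }
    for (Iterator iterator = statements.iterator(); iterator.hasNext(); ) {
        Statement statement = (Statement) iterator.next();
        if (statement.getStatementType() == Statement.AUTHENTICATION_STATEMENT) {
            return true;
        }
    }
    return false;
}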

Example 4 with Statement

use of com.sun.identity.saml.assertion.Statement in project OpenAM by OpenRock.

the class SAML11RequestedSecurityToken method getAttributes.

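/**
 * Returns the attributes of the first AttributeStatement found in this
 * token's assertion.
 *
 * @return a list of attributes of type
 *         <code>com.sun.identity.saml.assertion.Attribute</code>, or
 *         {@code null} if there is no assertion, no statements, or no
 *         AttributeStatement
 */
public List getAttributes() {
    if (assertion == null || assertion.getStatement() == null) {
        return null;
    }
    Iterator stmtIter = assertion.getStatement().iterator();
    while (stmtIter.hasNext()) {
        Statement statement = (Statement) stmtIter.next();
        if (statement.getStatementType() == Statement.ATTRIBUTE_STATEMENT) {
            // first AttributeStatement wins; any further ones are ignored
            return ((AttributeStatement) statement).getAttribute();
        }
    }
    return null;
}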

Example 5 with Statement

use of com.sun.identity.saml.assertion.Statement in project OpenAM by OpenRock.

the class DefaultPartnerAccountMapper method getUser.

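/**
 * Returns user account in OpenAM to which the
 * subject in the assertion is mapped. This method will be called in POST
 * profile, ARTIFACT profile, AttributeQuery and AuthorizationDecisionQuery.
 * <p>
 * Only the first assertion in the list is examined. The subject used for the
 * mapping is that of the first AuthenticationStatement whose first
 * confirmation method is artifact, deprecated artifact, or bearer.
 * NOTE(review): this method does not itself verify the assertion's signature,
 * conditions, or audience; it presumably relies on the caller having done so
 * before mapping the subject to a local account — confirm.
 *
 * @param assertions a list of authentication assertions returned from
 *                   partner side, this will contains user's identity in
 *                   the partner side. The object in the list will be
 *                   <code>com.sun.identity.saml.assertion.Assertion</code>
 * @param sourceID source ID for the site from which the subject
 *                 originated.
 * @param targetURL value for TARGET query parameter when the user
 *                  accessing the SAML aware servlet or post profile
 *                  servlet
 * @return Map which contains NAME, ORG and ATTRIBUTE keys, value of the
 *             NAME key is the user DN, value of the ORG is the user
 *             organization  DN, value of the ATTRIBUTE is a Map
 *             containing key/value pairs which will be set as properties
 *             on the OpenAM SSO token, the key is the SSO
 *             property name, the value is a String value of the property.
 *             Returns empty map if the mapped user could not be obtained
 *             from the subject, or if {@code assertions} is {@code null}
 *             or empty.
 */
public Map getUser(List assertions, String sourceID, String targetURL) {
    if (SAMLUtils.debug.messageEnabled()) {
        SAMLUtils.debug.message("DefaultPartnerAccountMapper:getUser(" + "List) targetURL = " + targetURL);
    }
    Map map = new HashMap();
    if (assertions == null || assertions.isEmpty()) {
        // documented contract: empty map when no user can be derived
        SAMLUtils.debug.error("DefaultPartnerAccountMapper:getUser: no assertion");
        return map;
    }
    Assertion assertion = (Assertion) assertions.get(0);
    Subject subject = confirmedAuthnSubject(assertion);
    if (subject != null) {
        getUser(subject, sourceID, map);
        Map attrMap = new HashMap();
        SAMLUtils.addEnvParamsFromAssertion(attrMap, assertion, subject);
        if (!attrMap.isEmpty()) {
            map.put(ATTRIBUTE, attrMap);
        }
    }
    return map;
}

/**
 * Returns the subject of the first AuthenticationStatement in
 * {@code assertion} whose first confirmation method is
 * {@code CONFIRMATION_METHOD_ARTIFACT},
 * {@code DEPRECATED_CONFIRMATION_METHOD_ARTIFACT} or
 * {@code CONFIRMATION_METHOD_BEARER}; statements without a subject
 * confirmation or confirmation method are skipped.
 *
 * @param assertion the assertion to inspect, must not be {@code null}
 * @return the matching subject, or {@code null} if none qualifies
 */
private static Subject confirmedAuthnSubject(Assertion assertion) {
    if (assertion.getStatement() == null) {
        return null;
    }
    Iterator iter = assertion.getStatement().iterator();
    while (iter.hasNext()) {
        Statement statement = (Statement) iter.next();
        if (statement.getStatementType() != Statement.AUTHENTICATION_STATEMENT) {
            continue;
        }
        Subject sub = ((SubjectStatement) statement).getSubject();
        SubjectConfirmation subConf = (sub == null) ? null : sub.getSubjectConfirmation();
        if (subConf == null) {
            continue;
        }
        Set cms = subConf.getConfirmationMethod();
        if (cms == null || cms.isEmpty()) {
            continue;
        }
        // only the first confirmation method is considered, as before
        String cm = (String) cms.iterator().next();
        if (cm == null) {
            continue;
        }
        boolean accepted = cm.equals(SAMLConstants.CONFIRMATION_METHOD_ARTIFACT)
                || cm.equals(SAMLConstants.DEPRECATED_CONFIRMATION_METHOD_ARTIFACT)
                || cm.equals(SAMLConstants.CONFIRMATION_METHOD_BEARER);
        if (accepted) {
            return sub;
        }
    }
    return null;
}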
